java - 您可以反编译任何 .jar，这不是很奇怪\不安全吗？

Question

关闭。这个问题是 opinion-based 。目前不接受答案。

---

想要改进这个问题吗？更新问题，以便 editing this post 可以用事实和引文来回答它。 .

已关闭 7 年前。

Improve this question

我的意思是，这还好吗？

如果我编写了一个程序，但我不想共享它的代码，实际上没有办法实现这一点，可以< em>反编译真的很容易! (谈论 jar )，

这不是一个严重的问题吗？它与其他语言不一样(不像java那么容易)。

编辑:我不是在问如何防止这种情况，而是在问为什么？

Answer 1

使用工具或库混淆代码。

有关此主题的更多信息，请参阅:https://www.owasp.org/index.php/Bytecode_obfuscation#How_to_prevent_Java_code_from_being_Reverse-engineered_.3F其中描述:

How to prevent Java code from being Reverse-engineered ? Several actions can be taken for preventing reverse-engineering :

Code Obfuscation.

This is done mainly through variable renaming; see next paragraph for more precisions,

Suppression of End Of Line Characters. This makes the code difficult to parse, Use of anonymous classes for handling events. This seems not to be handled by many Decompiler; however, JAD copes pretty well with this.

Class file encryption.

This implies some overhead for uncyphering at runtime. Several tools are available:: Canner, by Cinnabar Systems, or JLock by JSoft. They are available for evaluation, and the first is proposed currently for Windows Platforms only. Replacing the method names with certain characters e.g '/' or '.' in the class header causes the popular decompilation tools such as JAD to dump the source code which is incomprehensible (you cannot determine the control flow from the source).

Note: Beware of 100% Java solutions using encryption to protect class files as these are more than likely snake oil. Since the JVM has to read unencrypted class files at some point, even if the class files are encrypted on the disk, they will have to be decrypted before being passed to the JVM. An attacker could modify the local JVM to simply write the class files to disk in their unencrypted form at this point. (See: Javaworld article).

Conjecture: It's is very easy to circumvent these methods to reveal bytecode using a Java profiler.

What obfuscation tools are available ? A lot of tools exist for Java code Obfuscation. You can find extensive lists under following URLs, or simply type 'obfuscator' in your favorite search engine :http://directory.google.com/Top/Computers/Programming/Languages/Java/Development_Tools/Obfuscators/ http://proguard.sourceforge.net/alternatives.html

KlassMaster, shrinks and obfuscates both code and string constants. It can also translate stack traces back to readable form if you save the obfuscation log.

Proguard is a shrinker (make code more compact), and optimizer and obfuscator. Jode is a decompiler, an optimizer and an obfuscator. It contains facilities for cleaning logging statements,, Jarg,

Javaguard, which is a simple obfuscator, without many documentation,

CafeBabe, which allows precise view of Bytecode files and single file obfuscation; a good tool for teaching ByteCode Structure, more than a production tool.

如果您想防止“代码篡改”，那么我建议您对 jar 文件进行签名。如果被篡改，这将使 jar 无法使用。欲了解更多信息，请参阅:https://docs.oracle.com/javase/tutorial/deployment/jar/signindex.html